Web Application Fundamentals & Testing Tools

Core Properties

• Stateless protocol: each request is independent — sessions maintained via cookies/tokens
• Request structure: Method + URI + HTTP version → headers (Host, User-Agent, Accept, Cookie, Authorization, Content-Type) → body (for POST/PUT)
• Response structure: Status line → headers (Set-Cookie, Content-Type, Location, X-Frame-Options, CSP) → body

HTTP Methods

• GET — retrieve resource; idempotent; no body
• POST — submit data; not idempotent; has body
• PUT — replace entire resource at URI
• PATCH — partial update of a resource
• DELETE — remove resource
• HEAD — headers only, no body (same as GET but no response body)
• OPTIONS — used in CORS preflight to query allowed methods
• TRACE — echoes request back to sender; often disabled; enables Cross-Site Tracing (XST)

HTTP Status Codes

• 1xx Informational — 100 Continue, 101 Switching Protocols
• 2xx Success — 200 OK, 201 Created, 204 No Content
• 3xx Redirect — 301 Permanent, 302 Temporary, 304 Not Modified
• 4xx Client Error — 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 405 Method Not Allowed, 429 Rate Limited
• 5xx Server Error — 500 Internal, 502 Bad Gateway, 503 Service Unavailable

TLS Handshake (simplified)

• ClientHello — client sends supported cipher suites & TLS versions
• ServerHello + Certificate — server selects cipher, sends cert
• Key Exchange — client verifies cert, derives session keys
• Finished — both sides confirm; encrypted tunnel established

Certificate & Trust

• Chain of trust: certificate signed by intermediate CA signed by root CA
• Validation checks: expiry, CN/SAN matching, CRL/OCSP revocation
• HSTS: HTTP Strict Transport Security — forces HTTPS on all future visits; prevents SSL stripping attacks
• Certificate pinning: app pins expected cert/public key — defeats MitM even with valid CA-signed cert; critical for Burp proxy setup (must add Burp CA)

TLS Versions

• SSLv2/SSLv3 — broken, deprecated
• TLS 1.0/1.1 — deprecated (vulnerable to POODLE, BEAST)
• TLS 1.2 — acceptable; widely deployed
• TLS 1.3 — current best; mandatory forward secrecy

Weak Cipher Suites (know for exam)

• RC4 — broken (biased keystream)
• DES/3DES — SWEET32 attack
• Export ciphers — FREAK attack
• Anonymous DH — no authentication; MitM trivial

Tool: testssl.sh automates TLS configuration assessment — checks versions, ciphers, certificate validity, HSTS, HPKP.

Tiers & Patterns

• Three-tier: Presentation (browser) → Logic (app server) → Data (database)
• MVC: Model (data/business logic) · View (UI rendering) · Controller (request handling)
• Client-side: browser executes HTML/CSS/JavaScript; DOM = in-memory tree of the page
• Server-side: processes requests, queries DB, returns responses

API Styles

• REST: stateless, resource-based URLs (/api/users/123), standard HTTP verbs, JSON responses
• SOAP: XML-based, WSDL service description, heavy legacy enterprise
• GraphQL: single endpoint, client specifies data shape — security risks: introspection leaks schema, deep queries cause DoS, batching attacks
• Microservices: many services via APIs — expanded attack surface per service

• JavaScript: executes in browser context — DOM manipulation, event handling, async requests
• AJAX: XMLHttpRequest and fetch() API — update page without full reload
• JSON: {"key": "value"} — JavaScript's native data format for API responses
• Same-Origin Policy (SOP): browser restricts JS from reading responses from different origins. Origin = scheme + domain + port (all three must match)
• CORS: server explicitly allows cross-origin reads via Access-Control-Allow-Origin header; OPTIONS preflight for non-simple requests
• JSONP: legacy cross-origin workaround using <script> tags — security risk if attacker-controlled endpoint

Cookie Security Flags

• HttpOnly — JavaScript (document.cookie) cannot read the cookie; prevents XSS-based theft
• Secure — cookie only sent over HTTPS connections
• SameSite=Strict — never sent on cross-site requests (strong CSRF protection)
• SameSite=Lax — sent on top-level navigations but not embedded requests
• SameSite=None — always sent cross-site; requires Secure flag

Input/Output Security

• Input validation: client-side = easily bypassed via proxy; server-side validation is authoritative
• Output encoding: escape special chars in correct context (HTML, JS, URL, CSS) to prevent injection

Intruder Attack Types (must memorize)

• Sniper — one payload set, cycles through one position at a time; other positions stay static. Best for single-point fuzzing.
• Battering Ram — one payload set, inserts same value in all positions simultaneously. Useful when same payload needed everywhere.
• Pitchfork — multiple payload sets (one per position), iterated in parallel (paired rows). Use for username + password combos from a list.
• Cluster Bomb — multiple payload sets, all combinations (Cartesian product). Full brute force — use sparingly; generates huge request volume.

• Free, open-source alternative and complement to Burp Suite
• Automated scanner: spider (crawls links) + active scan (sends probes) — good for broad vulnerability discovery
• Forced Browse: wordlist-based discovery of hidden files/directories
• Fuzzer: similar to Burp Intruder — parameter-level fuzzing
• WebSocket support: test real-time web application traffic
• API integration: scriptable via REST API — integrate into CI/CD pipelines for automated security testing

• Wfuzz: command-line fuzzer — wfuzz -c -z file,wordlist.txt http://target/FUZZ
• FFuF (Fuzz Faster U Fool): fast directory/file/parameter fuzzer — ffuf -w wordlist.txt -u http://target/FUZZ
• Gobuster: directory & file enumeration — gobuster dir -u http://target -w wordlist.txt
• DirBuster: GUI-based directory brute-forcer (OWASP project)
• Common wordlists: SecLists (Daniel Miessler), dirbuster lists, rockyou.txt (passwords)
• Fuzzing targets: URL paths (directory brute force), GET/POST parameters, headers, cookie values

Additional Recon Tools

• Nikto: web server scanner — outdated software, dangerous files, misconfigurations
• curl: command-line HTTP requests — great for scripting and quick manual testing
• nmap: nmap -sV -p 80,443,8080,8443 target — port scanning & service detection
• Whatweb/Wappalyzer: technology fingerprinting — identifies CMS, frameworks, server software
• testssl.sh: TLS/SSL configuration testing — cipher suites, protocol versions, cert validity

• Network tab: inspect all HTTP requests/responses, headers, timing, WebSocket frames
• Console: JavaScript execution, error messages, document.cookie, localStorage inspection
• Storage: cookies, localStorage, sessionStorage, IndexedDB — inspect and modify client-side state
• Debugger: JavaScript breakpoints, source map analysis, deobfuscate minified code
• Elements: DOM inspection and modification — remove client-side validation controls

• Phase 1: Information gathering — passive & active recon
• Phase 2: Configuration & deployment management testing
• Phase 3: Identity management testing
• Phase 4: Authentication testing
• Phase 5: Authorization testing
• Phase 6: Session management testing
• Phase 7: Input validation testing (SQLi, XSS, injection)
• Phase 8: Error handling
• Phase 9: Cryptography testing
• Phase 10: Business logic testing
• Phase 11: Client-side testing